How to configure Flatpak apps for PKCS#11 and smart cards

Flatpak allows users to manually configure filesystem paths that will get passed into the Flatpak application sandbox via flatpak override. This feature can also pass in a unix socket, which works to pass in a dynamically started p11-kit-server socket from the host to access PKCS#11 devices. This will let you access web sites requiring smart card certificate authentication from a web browser installed via Flatpak.

Pre-requisites

• Flatpak installed and working
• Web browser that supports p11-kit installed via Flatpak (ex: Microsoft Edge or Chromium from flathub)
• systemd, pcscd, opensc, and p11-kit packages installed on the host

Procedure

1. Enable the p11-kit-service user socket to automatically activate the server service: systemctl --user enable --now p11-kit-server.socket

2. Check the socket status and information with: systemctl --user status p11-kit-server.socket. The path to the socket is in the output as Listen: /run/user/$UID/p11-kit/pkcs11 which will be used in the next step.

3. Configure Flatpak to add the socket into the app sandbox (here only configured for MS Edge): flatpak override -u --filesystem=xdg-run/p11-kit/pkcs11 com.microsoft.Edge. xdg-run is a special path name Flatpak recognizes and substitutes for the path stored in the $XDG_RUNTIME_DIR environment variable. This is the /run/user/$UID part of the socket path. man flatpak-override for more information.

4. Open the browser app and test logging into a CAC/PIV enabled web site like A365 – it should work. If you haven't installed the DoD Root Certificates, websites that don't use commercial PKI certificates will not function.